Computing Facilities, Carnegie Mellon School of Computer Science, Carnegie Mellon University
 

VPN FAQs

These are some of the most commonly asked questions about using the Cisco VPN client in the SCS environment. Additional information about using the VPN software and troubleshooting problems can be found in the installation information for your platform and the Cisco VPN client documentation.

On this page: General FAQs

  1. I can't get the client because I have no network access. What do I do?
  2. Do I need VPN if I dial up through the SCS modems?
  3. Can I use VPN to gain access to SCS services from a non-SCS host with a 128.2.*.* IP address?
  4. What does it mean to be connected to the VPN concentrator?
  5. Will VPN work with my wireless home network?
  6. Will I be able to use multiple machines at home?
  7. Will I be able to access my machines at home from my other machine at home, when they're both using VPN?
  8. How does the tunneling work?
  9. Can I configure what goes down the VPN tunnel?
  10. I want to have multiple VPN tunnels going at once on multiple machines, behind a Linksys box. Will that work?
  11. I cannot access the IEEE Xplore website or other websites.
Linux-specific FAQs
  1. What types of traffic do I need to allow if I am running a Linux firewall?
Windows-specific FAQs
  1. Since Win2K has built-in support for VPN, why do I need to install special VPN software?
  2. I can't see the network neighborhood or print to the domain printers. What can I do?
  3. I'm currently running Black Ice (or ZoneAlarm) on my home machine. Will this interact with VPN in some way I need to know about (e.g., Do I need to unblock certain ports or machines)?
  4. The VPN client displays "stateful firewall (always on)". Is it doing its own firewall? Should I stop Black Ice?
  5. I cannot access the Exchange Server. What is wrong?

General VPN FAQs

  1. I can't get the client because I have no network access. What do I do?

    VPN is not a method for accessing the Internet. To get on the Internet, you must contact an Internet service provider. VPN lets you use dial-up, DSL, or cable connections. Get the connection first, then download the client.

    If you have not done this and want to install the VPN client anyway, contact us and we may be able to make you a CD copy of the installer and install instructions. You will need to come to the SCS Help Desk to pick it up.

  2. Do I need VPN if I dial up through the SCS modems?

    No. When you dial in through our modems, you are assigned an SCS IP address.

  3. Can I use VPN to gain access to SCS services from a non-SCS host with a 128.2.*.* IP address?

    No. Our VPN setup is not intended to be used for that purpose, and there are some networking issues that make it problematic to do so.

  4. What does it mean to be connected to the VPN concentrator?

    Using the VPN concentrator means you will have an encrypted connection between your computer and the concentrator (server) for all of your traffic. The VPN concentrator allows your home machine to have access to the services that are restricted to machines with an SCS IP address.

  5. Will VPN work with my wireless home network?

    We have done this successfully with a Linksys BEFSR41 and an Apple Airport Basestation set up in "hub" mode (the basestation does not have an IP address and does not provide IP addresses to the wireless client).

  6. Will I be able to use multiple machines at home?

    You can do this with a DSL/Cable router that does NAT. We have done this successfully with a Linksys BEFVP41 and a Linksys BEFV11S4 box.

  7. Will I be able to access my machines at home from my other machine at home, when they're both using VPN?

    Yes. At one point, the Cisco VPN client or some aspect of the routers we were testing prevented machines from accessing each other when they were both using VPN. We fixed this bug when we upgraded the client.

  8. How does the tunneling work?

    The client uses split tunneling to separate your packets. Only packets going to the SCS network go down the VPN tunnel.

  9. Can I configure what goes down the VPN tunnel?

    We do not know of a way to do that.

  10. I want to have multiple VPN tunnels going at once on multiple machines, behind a Linksys box. Will that work?

    We have done this successfully with a Linksys BEFVP41 and a Linksys BEFV11S4.

  11. I cannot access the IEEE Xplore website or other websites.

    When visiting this site, the packets are not going through the SCS VPN tunnel, because the packets are not going to the SCS network.

    To access non-SCS IP address-restricted websites like IEEE Xplore from a computer on VPN, you need to use a proxy server. For more information, see http://www.library.cmu.edu/Services/remote.html.

Linux-specific FAQs

  1. What types of traffic do I need to allow if I am running a Linux firewall?

    If you are running a Linux firewall (for example, ipchains or iptables), be sure that the following types of traffic are allowed to pass through:
    • UDP port 500
    • UDP port 10000 (or any other port number being used for IPSec/UDP)
    • IP protocol 50 (ESP)
    • TCP port configured for IPSec/TCP
    • NAT-T port 4500
    See the Cisco Linux firewall troubleshooting tips for additional information.
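
    One way to write the allow-list above as iptables rules, as an added example that is not part of the original FAQ or of Cisco's documentation. The concentrator address (192.0.2.10, a documentation address), the IPSec/TCP port 10001, and the function name are placeholders; NAT-T is taken to be UDP 4500. The script only prints the rules so they can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example: print (do not apply) iptables rules that admit the Cisco VPN
# client traffic listed above, limited to one concentrator address.

# emit_vpn_rules CONCENTRATOR [IPSEC_UDP_PORT] [IPSEC_TCP_PORT]
#   IPSEC_UDP_PORT defaults to 10000; the IPSec/TCP rules are emitted only
#   when IPSEC_TCP_PORT is given.
emit_vpn_rules() {
    peer=$1
    udp_port=${2:-10000}
    tcp_port=${3:-}

    # The output may be piped to a shell, so accept only a dotted IPv4 literal.
    case $peer in
        ''|*[!0-9.]*) echo "invalid concentrator address: $peer" >&2; return 2 ;;
    esac
    # Reject anything that is not a port number before it reaches a rule.
    for p in "$udp_port" ${tcp_port:+"$tcp_port"}; do
        case $p in
            ''|*[!0-9]*|??????*) echo "invalid port: $p" >&2; return 2 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "port out of range: $p" >&2
            return 2
        fi
    done

    # IKE (UDP 500), IPSec/UDP, and NAT-T (UDP 4500).
    for p in 500 "$udp_port" 4500; do
        echo "iptables -A OUTPUT -p udp -d $peer --dport $p -j ACCEPT"
        echo "iptables -A INPUT -p udp -s $peer --sport $p -j ACCEPT"
    done
    # ESP is IP protocol 50; it has no ports to match on.
    echo "iptables -A OUTPUT -p 50 -d $peer -j ACCEPT"
    echo "iptables -A INPUT -p 50 -s $peer -j ACCEPT"
    # IPSec/TCP: the client opens the connection, so inbound is replies only.
    if [ -n "$tcp_port" ]; then
        echo "iptables -A OUTPUT -p tcp -d $peer --dport $tcp_port -j ACCEPT"
        echo "iptables -A INPUT -p tcp -s $peer --sport $tcp_port -m state --state ESTABLISHED -j ACCEPT"
    fi
}

# Demo with placeholder values: 192.0.2.10 is a documentation address and
# 10001 stands in for whatever IPSec/TCP port your profile configures.
emit_vpn_rules 192.0.2.10 10000 10001
```

    Scoping each rule to the concentrator's address keeps these ports closed to every other host.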

Windows-specific FAQs

  1. Since Win2K has built-in support for VPN, why do I need to install special VPN software?

    There are a few reasons why we are using the Cisco VPN client:
    • Security: Win2K VPN support utilizes PPTP (Point-to-Point Tunneling Protocol). The Cisco VPN client uses IPSec (Internet Protocol Security) via digital certificates to establish the tunnel, and does user authentication via RADIUS (Remote Authentication Dial-In User Service) and Kerberos, using your /remote Kerberos principal.
    • Consistency: Using the Cisco VPN software provides a consistent means of configuring legacy clients, rather than having different software for each platform. We needed one VPN solution that we could deliver to all supported Windows operating systems, MacOS, and Linux.
    • Support: Using a single client allows us to provide better support and troubleshooting for problems, and makes it easier to test and integrate this software into our environment.
  2. I can't see the network neighborhood or print to the domain printers. What can I do?

    Install the browser configuration tool from the networking downloads page. This tool provides easy browse access (via Network Neighborhood) for Windows domain resources, including the location of SCS domain workstations, servers and printers. Do not run this tool if your NT/2000/XP machine is already a member of the SCS domain.

  3. I'm currently running Black Ice (or ZoneAlarm) on my home machine. Will this interact with VPN in some way I need to know about (e.g., Do I need to unblock certain ports or machines)?

    The VPN software utilizes port 1000. Depending on your current setup, you may need to modify your Black Ice or ZoneAlarm configuration. If ZoneAlarm is set to medium security, no further configuration is necessary. If it is set to high security, the loopback address, 127.0.0.1, must be added and checked in the ZoneAlarm security configuration.

  4. The VPN client displays "stateful firewall (always on)". Is it doing its own firewall? Should I stop Black Ice?

    Do not change your VPN firewall settings. The profile that is installed with the VPN software should be sufficient for most users.

  5. I am not able to connect to the Exchange Server but the VPN is working otherwise. How do I fix this?

    The MTU size for the Cisco VPN Client must be set to the custom size of 1100.

    To change this, go to Start->Programs->Cisco Systems VPN Client->Set MTU.

    Open Network Connections to determine which of the listed connections is the VPN connection. Choose that connection in the Set MTU window, select the Custom radio button, type in the value 1100, and click the OK button.

    You will have to reboot your machine and restart the VPN client. You should now be able to access the Microsoft Exchange Server.